My interview with Dan Geer, CTO of Verdasys, a data loss prevention company, begins with a retelling of a scene from the Disney movie Fantasia, "when Mickey Mouse orders the broom in effect to bring water and then doesn't know how to turn it off," said Geer. "We all want more data, and I don't know that we know how to turn it off." With increasing numbers of home digital photos and purchased online music being stored on our 80GB hard drives and external media, is there a difference between the problems today in securing corporate assets, such as customer data at large retail stores such as TJX, and personal home computer assets? Geer thinks not, and he offers some surprising ideas, including the concept that you may one day have different computers for different purposes instead of that one general purpose Windows XP machine.
Data loss
Geer begins by invoking an emergent idea within the computer security community--do away with the traditional perimeter defense thinking. "Corporate data protection has got to be…one that doesn't rely on the idea of perimeter control. It has to rely instead on the idea that data is protected where it is and if I allow people to put it on laptops, they have to protect it on the laptops. If I allow them to put it on their hand-held device, it has to be protected there. If I allow them to keep it on a network share, it has to be protected there." Geer said data must be protected where it is.
Geer said probably the greatest source of data loss for the average person is the failure to back up data. The second might be the lack of encryption. He said Microsoft and other operating systems have made it easier for the personal user to encrypt the entire hard drive, so that if you lose your laptop in a taxi, what you leave behind is essentially a brick. He said that "if you combine the idea that I have a separate copy of everything, I have a backup of everything that I care about, and if the physical device is stolen, then what they stole was a brick." Thus, there should be no reason for personal users to lose their data.
Invaders
Yet physical loss is not the only kind of loss confronting users these days. What happens if you have an invader in your personal system rifling through your files? "That's actually a big problem, and I don't have a good solution for that because I don't think that a security design of any sort that relies on…the cooperation of the general public is going to work. I guess that sounds mean, but I have to go there." Geer isn't sure what advice to offer except to raise the issue.
"(Awhile) ago I wrote an editorial in which I...did some numbers, and I guessed that 15 percent to 30 percent of all home PCs were under someone else's control, at least in part." He said he got a certain amount of hate mail afterward, but soon after that, Microsoft said that figure was close to 40 percent and IDC said it was closer to three quarters. "Of course, we're all using different definitions, but, regardless of who is right about that, it's just substantial (portion)." So, if "you're engaging in some sort of transaction, whether it's just an e-mail message or 'take a look at this file,' or 'I would like to fill out a form,' whatever it is--if you're engaging in a transaction with someone else, you have the following interesting question: You have to assume that a percentage--perhaps even better than half--of the people you're engaged with have lost control of their machines."
Healthcare example
A possible solution might be found today within the pharmaceutical industry. "An awful lot of the security solutions that we've all talked about for the last 15 or 20...years have been...with the assumption the OS is clean and how can we keep it that way. At the moment, I don't think we can start from that assumption. Hence, what do you do about that?
"I know in the (pharmaceutical) clinical trials business these days, they have long since found that it's far cheaper and safer not to install software on the doctors' desktop(s), but to send them a laptop that is configured and locked down and can only be used for collecting the data for the thing--it's just easier to do as a management problem. Is that what we're going to? I don't know if we do that in the home world or not, but it's close to that, I'm reasonably certain that both for the corporate world and for the home computing world, that nearly nobody these days wants a general-purpose computer. By 'general purpose,' I mean what an engineer would think of as a general-purpose computer."
A computer for every use
What they want is some sort of appliance. In the corporate world, I want this locked down such that the job function of the person sitting in front of it is all that it performs--no more, no less. Geer says "in the home world,...I don't have a need to program or do abstract math modeling or anything else. I just want something that allows me to read the news, listen to my music and so forth."
"Nobody really wants the general-purpose computer and it's the general purpose-ness that in a sense gets in the way of finding a good security solution," said Geer. "So, perhaps the answer for the home user or somebody like that is--and I don't know anybody who has done this--is find a product whose job is to lock him down." Geer suggests finding a product that makes your Windows Vista Home edition less like a general-purpose machine. "Remove the C compiler, you know, remove the ability to reconfigure the network." Does such a product exist? Geer said he isn't aware of such a product.
An industry
"I do know two people who are making a good living these days being what I can only call computer valets. They go around from house to house, cleaning up people's computers, often while they're not there. Folks have lost control (of their computers) and they know it. People will hire house cleaners; they will also hire computer cleaners these days...Maybe that's the answer."
Geer might strike you as some crazed curmudgeon. He's not. He offers a fresh perspective on data loss prevention, a hot topic today, given the acquisition of several DLP companies by Symantec, Trend Micro, and McAfee, but which often is rather dry. I have more observations from Dan Geer which I hope to highlight and share in the weeks ahead.
For more on this part of the conversation, hear my latest Security Bites podcast here.
Should personal computers be less general purpose and more specific to one's needs? TalkBack to me.